Impact analysis is needed
The PSD2 RTS has been in force for only two years (applicable from September 14, 2019), and it took almost a year for ASPSPs and TPPs to implement the use of dedicated interfaces. Something to keep in mind is also that there are different types of account information services in the market, like the situation described in EBA/OP/2020/10 points 28 and 35, where the service is only used as a one-off to extract the account number for a single payment. For that reason, an exhaustive analysis is necessary. It must be systematically evaluated whether the proposed change could impact the level of consumer protection. Such an analysis would also help recognise whether the proposal would ensure trust for open payments and for all types of PSP. Any measures taken should increase the confidence and trust in all PSPs in the value chain.
Further, it should be well noted that the proposed exemption will benefit one type of PSP, i.e. the AISP. This would distort competition, deviating from the principle of “same activity, same risk, same rules”. We would support a framework in which the entity that benefits from the advantages of the SCA exemption also carries the burden of proof and manages the relationship with the customer in case of complaints (as is already the case in the cards world). The proposed amendments to Article 10 of the RTS do not provide a fair balance between AISPs and ASPSPs.
Challenges with mandatory exemption
We observe that if the exemption is made mandatory, technical limitations would make it feasible for dedicated interfaces only, and not for user interfaces. In the user interface case, a mandatory exemption would mean that banks using this interface option would either need to apply the exemption to their own use cases as well and/or separate the AIS cases from their own use cases, which is likely to be technically difficult.
Further, Article 97(1) stipulates that a PSP shall apply strong customer authentication in certain situations, and Article 98(1) gives the EBA the mandate to set exemptions from the application of SCA. It is questionable, however, whether this gives the EBA the mandate to make the exemption mandatory, as a mandatory exemption is not an exemption but an intrusion into the Article 97 SCA requirements. This should instead be a topic for a future discussion in the upcoming PSD2 review.
In the draft RTS, the EBA only seems to consider account information services that provide customers with aggregated account information on an ongoing basis. Where an account information service is a one-off service, the PSU only expects one-time access and does not expect the use of a 180-day access token that, in the worst case, makes its data accessible on an unprotected device. In these cases, there is no need for the AISP to be able to access the data within 180 days without performance of a new SCA.
A reduced level of security increases the risk of unauthorised access to data. Therefore, we believe that, in relation to the criteria in Article 98(3), setting a mandatory exemption would require the EBA to make the assumption and ex-ante assessment that the risk level will always and in all AIS situations be low, contradicting the requirements set in RTS Article 1(b) and hence not fulfilling the requirements in Article 98(3):
a) the level of risk involved in the service provided;
b) the amount, the recurrence of the transaction, or both;
c) the payment channel used for the execution of the transaction.
In the final report on the draft RTS on SCA and CSC (EBA/RTS/2017/02), the EBA stated that it considered 90 days to be an appropriate balance. We lack a substantial analysis of the real need to extend the timeline, and of how such an extension could impact the level of consumer integrity protection. We encourage the EBA to analyse this further as part of the upcoming review of PSD2. If it really does make a difference for the customer, this needs to be carefully motivated to ensure long-term consumer protection and trust in the Open Banking industry.
From a Swedish point of view, with customers accustomed to using their digital ID with fingerprint several times a day, our view is that it would not be that burdensome for the customer to perform an SCA once per 90-day period.